I have logs as below.I would want to extract the data within the quotes
**message**: "vin":"ABCDEFTGH","Type":"Obs-AVE","color":"ABSOLUTE BLACK"
Where message is a field.
I want the value as:
ABCDEFTGH
@Deepz2612 ,
Try
"Your current search" |rex field=_raw max_match=0 "\"(?<KEY>.+?)\":\"(?<VALUE>.+?)\""
|eval x=mvzip(KEY,VALUE)|table x|mvexpand x
|rex field=x "(?<KEY>.+),(?<VALUE>.+)"|fields - x|transpose 0 header_field=KEY|fields - column
This will result in
vin Type color
ABCDEFTGH Obs-AVE ABSOLUTE BLACK
Try this
| makeresults
| eval test ="**message**: \"vin\":\"ABCDEFTGH\",\"Type\":\"Obs-AVE\",\"color\":\"ABSOLUTE BLACK\""
| rex field=test "\"vin\":\"(?<vin>.*)\",\"Type\":\"(?<Type>.*)\",\"color\":\"(?<color>.*)\""
| table vin, Type, color
@Deepz2612 ,
Try
"Your current search" |rex field=_raw max_match=0 "\"(?<KEY>.+?)\":\"(?<VALUE>.+?)\""
|eval x=mvzip(KEY,VALUE)|table x|mvexpand x
|rex field=x "(?<KEY>.+),(?<VALUE>.+)"|fields - x|transpose 0 header_field=KEY|fields - column
This will result in
vin Type color
ABCDEFTGH Obs-AVE ABSOLUTE BLACK
Hi,
The question here is how do i extract the data within the quotes.
message: "vin":"ABCDEFTGH","Type":"Obs-AVE","color":"ABSOLUTE BLACK"
message: "vin":"EFGHTYB","Type":"Obs-ABE","color":"BLACK"
Like in the logs above ,I would want to extract the values as between the quotes as a field value.
eg: whatever data follows after the word "vin":" and ended with ", should be extracted as one field.
ABCDEFTGH
Have you tried the query provided by me and @renjith.nair ? It is extracting ABCDEFTGH
in field vin
, Obs-AVE
in field Type
and ABSOLUTE BLACK
in field color
It did work but not in the way i expected.
I just wanted to have a reqular expression to extract the data that is present within the quotes and a colon.
rex field = message *********************
message: "vin":"EFGHTYB"
Here the data EFGHTYB is between :" and "
@Deepz2612 ,
If you just want VIN, try this
rex field=your_message_field "vin":\"(?<VIN>\w+)\""
Cool!! Thanks for your help
Hi @Deepz2612,
I am not able to find an easy way to do this but you can try below query.
<yourBaseSearch>
| rex "\"(?:(?<a>\w+))\"\:\"(?<b>(?:.)*?)\"" max_match=0
| eval c = mvzip(a,b)
| mvexpand c
| eval d=mvindex(split(c,","),0), e=mvindex(split(c,","),1)
| eval {d}=e
| stats values(color) AS color, values(vin) AS vin, values(Type) AS Type by _time
Here is run anywhere search based on sample data
| makeresults | eval _raw="message: \"vin\":\"ABCDEFTGH\",\"Type\":\"Obs-AVE\",\"color\":\"ABSOLUTE BLACK\""
| rex "\"(?:(?<a>\w+))\"\:\"(?<b>(?:.)*?)\"" max_match=0
| eval c = mvzip(a,b)
| mvexpand c
| eval d=mvindex(split(c,","),0), e=mvindex(split(c,","),1)
| eval {d}=e
| stats values(color) AS color, values(vin) AS vin, values(Type) AS Type by _time
EDIT : REGEX Updated.